Association rule-based malware classification using common subsequences of API calls
Applied Soft Computing (IF 7.2), Pub Date: 2021-03-05, DOI: 10.1016/j.asoc.2021.107234
Gianni D'Angelo, Massimo Ficco, Francesco Palmieri

Emerging malware poses increasing challenges to detection systems as its variety and sophistication continue to grow. Malware developers use complex techniques to produce malware variants by removing, replacing, and adding useless API calls to the code; these changes are specifically designed to evade detection mechanisms while leaving the original functionality of the malicious code intact. In this work, a new algorithm based on the alignment of recurring subsequences and on association rules is proposed to infer malware behaviors. The proposed approach exploits the probabilities of transitioning between two API invocations in the call sequence and also considers their timeline, by extracting subsequences of API calls that are not necessarily consecutive and that are representative of common malicious behaviors of specific subsets of malware. The resulting malware classification scheme, capable of operating within dynamic analysis scenarios in which API calls are traced at runtime, is inherently robust against evasion/obfuscation techniques based on perturbation of the API call flow. It has been experimentally compared with two detectors based on Markov chains and on API call sequence alignment algorithms, which are among the most widely adopted approaches for malware classification. In this experimental assessment the proposed approach showed excellent classification performance, outperforming its competitors.
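As an added illustration (not the authors' algorithm, which additionally relies on association rules and transition probabilities), the following Python contrasts a gap-tolerant common-subsequence signature with a consecutive-transition, Markov-style profile on constructed API traces, to show why padding a trace with useless calls breaks the latter but not the former. All API names, traces and function names are constructed for this example.

```python
from collections import Counter

def lcs(a, b):
    """Longest common subsequence of two API-call traces: order is kept, gaps are allowed."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:                       # walk the table to recover one LCS
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out

def family_signature(traces):
    """Calls that every trace of the family performs in the same relative order (iterated LCS)."""
    sig = list(traces[0])
    for t in traces[1:]:
        sig = lcs(sig, t)
    return sig
def subsequence_score(sig, trace):
    """Share of the signature found in `trace` as a possibly non-consecutive subsequence."""
    return len(lcs(sig, trace)) / len(sig)
def bigram_profile(trace):
    """Markov-style profile: relative frequency of each consecutive a -> b transition."""
    pairs = Counter(zip(trace, trace[1:]))
    total = sum(pairs.values())
    return {k: v / total for k, v in pairs.items()}
def bigram_overlap(profile, trace):
    """Transition mass of `profile` whose consecutive pairs also occur in `trace`."""
    present = bigram_profile(trace)
    return sum(w for k, w in profile.items() if k in present)

# Constructed traces of a hypothetical file-encrypting family (illustrative, not real samples).
FAMILY = [
    ["CryptAcquireContext", "FindFirstFile", "CreateFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile"],
    ["FindFirstFile", "CreateFile", "ReadFile", "CryptEncrypt", "WriteFile", "DeleteFile", "CryptReleaseContext"],
    ["CryptAcquireContext", "FindFirstFile", "CreateFile", "ReadFile", "CryptEncrypt", "WriteFile", "MoveFile", "DeleteFile"],
]
# FAMILY[0] with useless calls inserted after every step: the perturbation the abstract describes.
EVADED = [c for call in FAMILY[0] for c in (call, "GetTickCount", "Sleep")]
BENIGN = ["GetTickCount", "CreateFile", "ReadFile", "CloseHandle", "Sleep"]  # constructed benign trace

if __name__ == "__main__":
    sig = family_signature(FAMILY)
    print(sig, subsequence_score(sig, EVADED), bigram_overlap(bigram_profile(FAMILY[0]), EVADED))
```

The padded variant keeps a full subsequence score while its consecutive-transition overlap with the family profile drops to zero, which is the robustness property the abstract attributes to non-consecutive subsequences.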



Chinese translation:

Association rule-based malware classification using common subsequences of API calls

As the variety and complexity of malware keep increasing, emerging malware poses ever greater challenges to detection systems. Malware developers use complex techniques to generate malware variants by deleting, replacing, and adding useless API calls to the code; these API calls are specifically designed to evade detection mechanisms and do not affect the original functionality of the malicious code involved. In this work, a new recurring-subsequence alignment-based algorithm that exploits association rules is proposed to infer malware behaviors. The proposed method exploits the probabilities of transitions between two API calls in the call sequence, and also considers their timeline, by extracting subsequences of API calls that are not necessarily consecutive and that represent the common malicious behaviors of specific subsets of malware. The resulting malware classification scheme can operate in dynamic analysis scenarios in which API calls are traced at runtime, and is therefore inherently robust against evasion/obfuscation techniques based on perturbation of the API call flow. It has been experimentally compared with two detectors based on Markov chains and API call sequence alignment algorithms, which are among the most widely adopted malware classification methods. In this experimental evaluation, the proposed method showed better classification performance than its competitors.

Updated: 2021-03-12